Invalid username/password combination is not working in this coding.

// Everything is working fine in this code but when I put wrong username/password is does nothing. It must show the error message but it does not. Can anybody help me on this .

Here is my coding.

[php]

<?php include 'functions.php'; if(loggedin()){ header("location:userarea.php"); exit(); } if(isset($_POST['login'])){ $username = $_POST['username']; $password = $_POST['password']; $rememberme = $_POST['rememberme']; if($username&&$password){ $login = mysql_query("SELECT * FROM rememberme WHERE username = '$username'"); while($row = mysql_fetch_assoc($login)){ $db_password = $row['password']; if($password == $db_password) $loginok = TRUE; else $loginok = FALSE; if($loginok == TRUE){ if($rememberme=="on") setcookie("username",$username,time()+7200); elseif($rememberme=="") $_SESSION['username'] = $username; header("location:userarea.php"); exit(); } else die("Incorrect username/password combination"); } } else die("Please enter username and password"); } ?>

Login In Here
Username:
Password:
Rememberme:

[/php]

You are using obsolete Mysql code. Use PDO or Mysqli.

You have your else in a WHILE loop that will never run if the username does not match in the database. First check if there is a result from your query. (i.e: there is a matching username). If no results, show your error. If there is a result run the rest of your code.

You also dont need to select the entire row of data. (*). You only need username and password which by the way is clear you have not encrypted. You should NEVER EVER EVER store a plain text password. You are not being consistent with your use of curly braces either. There is also an extra layer of coding you dont need with your $loginok = FALSE;/ $loginok = TRUE;. Just run the relevant code there unless you are using those variables somewhere else.

You are also vulnerable to an SQL injection attack.

I would suggest you get refreshed on the basics of coding.